[ASA-201706-2] freeradius: authentication bypass

EPSS: 0.007 (Low), percentile 80.2%

Arch Linux Security Advisory ASA-201706-2

Severity: High
Date : 2017-06-02
CVE-ID : CVE-2017-9148
Package : freeradius
Type : authentication bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-281

Summary

The package freeradius before version 3.0.14-3 is vulnerable to
authentication bypass.

Resolution

Upgrade to 3.0.14-3.

pacman -Syu "freeradius>=3.0.14-3"

The problem has been fixed upstream in version 3.0.14.

Workaround

None.

Description

A security issue has been found in FreeRADIUS < 3.0.14. The
implementation of TTLS and PEAP in FreeRADIUS skips inner
authentication when it handles a resumed TLS connection. This is a
feature, but there is a critical catch: the server must never allow
resumption of a TLS session until its initial connection gets to the
point where inner authentication has been finished successfully.
Unfortunately, affected versions of FreeRADIUS fail to reliably prevent
resumption of unauthenticated sessions unless the TLS session cache is
disabled completely, and so allow an attacker (e.g. a malicious
supplicant) to elicit EAP Success without sending any valid credentials.
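
The resumption rule described above, as a simplified Python model added here for illustration. It is not FreeRADIUS code: the class, method names, return strings and the sample credential are assumptions. It contrasts a server that makes a TLS session resumable as soon as the handshake completes with one that does so only after inner authentication succeeds.

```python
# Simplified model of TLS session resumption in an EAP-TTLS/PEAP server.
# Not FreeRADIUS code: all names and the credential store are hypothetical.
import hmac
import secrets

USERS = {"alice": "correct horse"}  # constructed sample credential store


class EapServer:
    def __init__(self, cache_before_inner_auth):
        # True models the flaw: sessions become resumable at handshake time.
        self.cache_before_inner_auth = cache_before_inner_auth
        self.cache = set()  # session ids that are allowed to resume

    def tls_handshake(self):
        """Outer TLS tunnel is up; nobody has been authenticated yet."""
        sid = secrets.token_hex(8)
        if self.cache_before_inner_auth:
            self.cache.add(sid)
        return sid

    def inner_auth(self, sid, user, password):
        """Inner authentication inside the tunnel (stand-in for PAP/MSCHAPv2)."""
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self.cache.add(sid)      # only now is the session safe to resume
        else:
            self.cache.discard(sid)  # a failed attempt must evict the session
        return "EAP-Success" if ok else "EAP-Failure"

    def resume(self, sid):
        """Resumption skips inner authentication, so the cache is the only gate."""
        if sid in self.cache:
            return "EAP-Success"
        return "full-handshake-required"


def abandoned_session_outcome(cache_before_inner_auth):
    """Peer completes the TLS handshake, sends no credentials, then resumes."""
    server = EapServer(cache_before_inner_auth)
    sid = server.tls_handshake()
    return server.resume(sid)
```

In this model, disabling the cache entirely corresponds to `resume()` never finding a session id, which matches the advisory's note that only a fully disabled session cache avoids the problem on affected versions.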

Impact

A remote user can bypass authentication by starting then resuming an
unauthenticated TLS session.

References

http://freeradius.org/press/index.html#3.0.14
http://seclists.org/oss-sec/2017/q2/342
https://security.archlinux.org/CVE-2017-9148

OS         Version  Architecture  Package     Version     Filename
ArchLinux  any      any           freeradius  < 3.0.14-3  UNKNOWN